mirror of
https://github.com/torvalds/linux.git
synced 2024-12-29 14:21:47 +00:00
capabilities: introduce security_capable_noaudit
Exactly like security_capable except don't audit any denials. This is for places where the kernel may make decisions about what to do if a task has a given capability, but which failing that capability is not a sign of a security policy violation. An example is checking if a task has CAP_SYS_ADMIN to lower it's likelyhood of being killed by the oom killer. This check is not a security violation if it is denied. Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Serge E. Hallyn <serge.hallyn@canonical.com>
This commit is contained in:
parent
b7e724d303
commit
c7eba4a975
@ -1668,6 +1668,8 @@ int security_capset(struct cred *new, const struct cred *old,
|
||||
const kernel_cap_t *permitted);
|
||||
int security_capable(const struct cred *cred, struct user_namespace *ns,
|
||||
int cap);
|
||||
int security_capable_noaudit(const struct cred *cred, struct user_namespace *ns,
|
||||
int cap);
|
||||
int security_real_capable(struct task_struct *tsk, struct user_namespace *ns,
|
||||
int cap);
|
||||
int security_real_capable_noaudit(struct task_struct *tsk,
|
||||
@ -1869,6 +1871,11 @@ static inline int security_capable(const struct cred *cred,
|
||||
return cap_capable(cred, ns, cap, SECURITY_CAP_AUDIT);
|
||||
}
|
||||
|
||||
static inline int security_capable_noaudit(const struct cred *cred,
|
||||
struct user_namespace *ns, int cap) {
|
||||
return cap_capable(cred, ns, cap, SECURITY_CAP_NOAUDIT);
|
||||
}
|
||||
|
||||
static inline int security_real_capable(struct task_struct *tsk, struct user_namespace *ns, int cap)
|
||||
{
|
||||
int ret;
|
||||
|
@ -160,6 +160,12 @@ int security_capable(const struct cred *cred, struct user_namespace *ns,
|
||||
return security_ops->capable(cred, ns, cap, SECURITY_CAP_AUDIT);
|
||||
}
|
||||
|
||||
int security_capable_noaudit(const struct cred *cred, struct user_namespace *ns,
|
||||
int cap)
|
||||
{
|
||||
return security_ops->capable(cred, ns, cap, SECURITY_CAP_NOAUDIT);
|
||||
}
|
||||
|
||||
int security_real_capable(struct task_struct *tsk, struct user_namespace *ns,
|
||||
int cap)
|
||||
{
|
||||
|
Loading…
Reference in New Issue
Block a user